Local Firewall Rules (iptables/nftables)
Location
/etc/iptables/rules.v4, /etc/sysconfig/iptables, /etc/nftables.conf, or runtime via iptables-save/nft list ruleset
Description
Host-based firewall rulesets defining allowed and blocked network traffic. iptables (legacy) and nftables (modern replacement) rules control inbound and outbound connections, NAT, and packet manipulation at the kernel level.
Forensic Value
Firewall rule analysis reveals attacker modifications to open backdoor ports, permit C2 traffic, or block security tool communications. Comparing running rules (iptables-save) against persistent configuration files detects runtime-only modifications that disappear on reboot. Rules allowing inbound connections on non-standard ports indicate backdoor listeners. NAT rules may reveal traffic tunneling or port forwarding set up for pivoting. An empty or disabled firewall on a production server that should have rules is itself an indicator of tampering.
Tools Required
iptables-save, nft, cp, iptables
Collection Commands
iptables-save
iptables-save > /forensics/output/iptables_rules.txt
nft
nft list ruleset > /forensics/output/nftables_rules.txt
cp
cp /etc/iptables/rules.v4 /etc/sysconfig/iptables /etc/nftables.conf /forensics/output/ 2>/dev/null
iptables
iptables -L -n -v --line-numbers > /forensics/output/iptables_verbose.txt
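The comparison described under Forensic Value, as an added example that is not part of the original page: it parses iptables-save format, lists rules present in the live capture but absent from the persistent file, and flags inbound ACCEPTs on ports outside an assumed baseline as well as NAT redirection. Both rulesets and the EXPECTED_PORTS baseline are constructed for illustration.

```python
import re
# Constructed sample of the persistent file (/etc/iptables/rules.v4 format).
PERSISTENT = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
# Constructed sample of the live capture (what iptables-save prints on the host).
RUNTIME = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.0.5:22
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
COMMIT
"""
EXPECTED_PORTS = {22, 443}  # Assumed baseline of services allowed inbound.

def parse_rules(text):
    """Return (table, rule) tuples for every -A line in iptables-save format."""
    table, rules = None, []
    for line in text.splitlines():
        if line.startswith("*"):        # table header, e.g. *filter or *nat
            table = line[1:]
        elif line.startswith("-A "):    # one appended rule in that table
            rules.append((table, line))
    return rules

def runtime_only(persistent, runtime):
    """Rules loaded in the kernel but absent from the persistent file."""
    saved = set(parse_rules(persistent))
    return [r for r in parse_rules(runtime) if r not in saved]

def flag_rules(rules):
    """Flag inbound ACCEPTs on unexpected ports and any NAT redirection."""
    findings = []
    for table, rule in rules:
        port = re.search(r"--dport (\d+)", rule)
        if (table == "filter" and rule.startswith("-A INPUT") and rule.endswith("-j ACCEPT")
                and port and int(port.group(1)) not in EXPECTED_PORTS):
            findings.append(("unexpected inbound ACCEPT", rule))
        if table == "nat" and re.search(r"-j (DNAT|REDIRECT|MASQUERADE)", rule):
            findings.append(("NAT forwarding", rule))
    return findings
```

On a real case, read PERSISTENT from the copied configuration file and RUNTIME from the collected iptables_rules.txt; a rule that appears only at runtime has no persistence mechanism in the firewall config and was loaded by something else.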
Collection Constraints
- Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
- Live-state evidence is volatile. Collect it before reboot, containment, or power loss whenever legal and operational constraints allow.